Description

Lightbend Alpakka Kafka before 5.0.0 logs its configuration as debug information, and thus log files may contain credentials (if plain cleartext login is configured). This occurs in akka.kafka.internal.KafkaConsumerActor.

Remediation

References

https://akka.io/security/alpakka-kafka-cve-2023-29471.html

https://github.com/akka/alpakka-kafka/issues/1592

Related Vulnerabilities

CVE-2010-1330 Vulnerability in maven package org.jruby:jruby

CVE-2022-32531 Vulnerability in maven package org.apache.bookkeeper:bookkeeper-common

CVE-2023-50768 Vulnerability in maven package org.sonatype.nexus.ci:nexus-jenkins-plugin

CVE-2021-21120 Vulnerability in npm package electron

CVE-2023-38700 Vulnerability in npm package matrix-appservice-irc

Severity

Medium

Classification

CWE-312 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory Issue Tracking